Penetration/Application Testing collaboration tools


Joe Haldon

Aug 5, 2008, 4:34:46 PM
to Digital Paranoia
What are you folks using to collaborate and share data during
assessments?
I came across a neat tool for collaborated penetration testing called
dradis. In the past I've kept track of findings in notepad or some
such text file, made screenshots etc. Sometimes when we were short on
time we would start writing the draft Word document report and
findings would funnel straight into that. If groups of larger than
two are involved it can be difficult to manage; the document can only
be edited by one person at a time. And if Word crashes you are lucky
if you can recover your work.

I need a system where if I'm working on a web app and I want to show
'al' a neat trick of dumping the tables, I just copy and paste the url/
query and 'al' can click on it and get the same result. We have a
neat utility that collects scan data but it's not really designed for
things like app testing. Its main feature was data correlation.

In the past I've used Wikis. Wikis are a great way to share
information. The last time I used a wiki I found it a little
cumbersome and not as 'real-time' as I'd like it to be. If wiki had a
chat function maybe? Perhaps wiki combined with jabber.

There is a new tool called dradis that might be the solution I'm
looking for:
dradis is an open source tool for sharing information during Security
Testing.

While plenty of tools exist to help in the different stages of the
test (information gathering, discovery, exploitation, etc.) not so
many exist to share interesting information captured.
Not sharing the information available in an effective way will result
in exploitation opportunities lost and the overlapping of efforts.

http://dradis.nomejortu.com/

Curiously I haven't seen anything on this tool, no other reviews.
Dradis is written in Ruby, uses a database backend (sqlite3, mysql
etc) and is in beta stage. I'm not sure I trust it yet to keep all my
results. Would be a bad deal if on an assessment and a bug in the
code made all the data acquired disappear. Dradis uses a client /
server topology, so should take a careful look at how it passes data
over a network. Last, it should be mentioned, habits are hard to
break. Using dradis will add a bunch more work. I do think that a
tool like this may make collaborating on assessments possible, even
when the testers are geographically distant.